Which TLS config is supported by the clients?

📱 Desktop & mobile clients
1

We’re trying to determine if there would be a problem with some of the Nextcloud clients if we tighten security on the Box. See


for all the details.

The recommendation for people who want to strengthen their setup will be:

  • Ban Nextcloud OSX client
  • TLSv1.2 only
  • ECDH only
  • 384bits curve only
  • Drop support for HMAC-SHA1
  • SSL compression off
  • Disable session ticket
  • Enable OCSP stapling

Here is the list of ciphers:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256

@ios @Andy @rullzer @LukasReschke

2

At the moment the desktop client running on OS X doesn’t support TLS v1.1 and v1.2. Thus it requires 1.0.

This is something I want to change but at the moment it requires some Qt monkeypatching … :see_no_evil: – But it’s certainly on the todo…

On Windows it should work just fine…

1 Like
3

I’ll package a snap to test so that people can provide feedback :slight_smile:

4

I think no problem but do you have a Box access for a debug connection test ?

5

You can install the snapd daemon on many Linux distributions: https://snapcraft.io

And then it’s easy to install the test Snap and test connections :slight_smile:

6

aaarghhh find time !! Too many things to do :disappointed_relieved:

1 Like
7

see Settings for hardened TLS/SSL & A+ on SSLlabs (Apache ssl.conf file) this should be possible but drops support for Android <4.4 - so for that scenario installations would either have to live with that fact (cutting of clients <4.4.) or should be able (and do so) weaken ciphers TLS version. From the Android client side we can activate ciphers for 16+. The Android client itself should imho support TLS1.2 already. (so we should just have to solve the cipher issue).

1 Like
8

Thanks!

The plan has been changed. The default will be weak because of OSX, but people will have the possibility to make it more secure by SSHing to their box.

That way, the server owner can make the decision based on the pool of devices which connect to it, without giving you any extra work and if they want to have TLSv1.2 support for their older Android devices, then they can always hire a member of the Android team to do that :slight_smile:

2 Likes
9

Good stuff @oparoz

As @LukasReschke said on windows and Linux it all should work fine. But let me know if you run into trouble.

10

The AMD64 snap of Nextcloud in this thread can be used to test various security settings: